sharing code of practice Information Commissioner's Office 


Data sharing can bring important benefits to organisations, citizens and 
consumers, making our lives easier and helping to deliver efficient 
services. It is important, however, that organisations who share personal 
data have high data protection standards, sharing data in ways that are 
fair, transparent and accountable. We also want controllers to be 
confident when dealing with data sharing matters so individuals can be 
confident their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating our 
data sharing code of practice, which was published in 2011. The updated 
code will explain and advise on changes to data protection legislation 
where these changes are relevant to data sharing. It will address many 
aspects of the new legislation including transparency, lawful bases for 
processing, the new accountability principle and the requirement to record 
processing activities. 


The updated data sharing code of practice will continue to provide 
practical guidance in relation to data sharing and will promote good 
practice in the sharing of personal data. In the first instance we will 
address the impact of the changes in data protection legislation on data 
sharing and will then move on to developing further case studies. Our 
intention is that, as well as legislative changes, the code will also deal 
with technical and other developments that have had an impact on data 
sharing since the publication of the last code in 2011. 


Before preparation of the code the Information Commissioner must 
consult with the Secretary of State. She is also seeking input from trade 
associations, data subjects and those representing the interests of data 
subjects. This call for views is the first stage of the consultation process. 
We will use the responses we receive to inform our work in developing the 
updated code. 


You can email your response to CentralGovernment@ICO.org.uk 


Or print and post to: 


Data Sharing Code Call for Evidence 
Central Government Department 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire SK9 5AF 


If you would like further information on the call for evidence, please email 
the Central Government team. 


Please send us your views by 10 September 2018. 


Privacy statement 


For this call for evidence we will publish responses received from 
organisations but will remove any personal data before publication. We 
will not publish responses from individuals. For more information about 
what we do with personal data please see our privacy notice. 


Questions 


Q1 We intend to revise the code to address the impact of changes in 
data protection legislation, where these changes are relevant to 
data sharing. What changes to the data protection legislation do 
you think we should focus on when updating the code? 


The current code of practice mentions joint controllers only once (in the 
definition of a data controller in Annex 2). 


The CJEU’s decisions in C210/16 Unabhängiges Landeszentrum für 
Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein 
mbH (the “Facebook Case”) and C25/17 Tietosuojavaltuutettu (the 
“Jehovah’s Witnesses Case”) appear to substantially widen the concept of 
joint controllership under data protection law, particularly in the UK where 
the Data Protection Act 1998 also referred to the concept of controllers in 
common. The Facebook and Jehovah's Witnesses Cases apply a joint 
controller relationship to arrangements where one of the parties has little if 
any access to or control over the personal data being processed by the 
other party. 


This combined with the new requirement under Article 26 of GDPR for 
joint controllers to determine their respective responsibilities for 
compliance with GDPR means that detailed guidance is urgently required 
from the ICO on: 


• The factors for determining the existence of a joint controller 
  relationship (with practical examples) and how to distinguish this 
  from an independent controllers relationship 

• How the CJEU’s comments in the Facebook and Jehovah’s Witnesses 
  Cases in relation to joint controllers not being equally responsible is 
  to be reconciled with Article 82 of GDPR. 

• Whether the concept of controllers in common still exists under 
  GDPR/following the Facebook and Jehovah's Witnesses Cases 

• The level of detail required when documenting responsibilities under 
  Article 26 of GDPR 
legislation, are there other developments that are 
having an impact on your organisation’s data sharing practice that you 
would like us to address in the updated code? 


Yes 
No 


Q3 If yes (please specify) 


Q4 Does the 2011 data sharing code of practice strike the right 
balance between recognising the benefits of sharing personal data 
and the need to protect it? Please give details. 


Yes 


No 




Q5 If yes in what ways does it achieve this? 


Q6 If no, in what ways does it fail to strike the right balance? 




Q7 What types of data sharing (eg systematic, routine sharing or 
exceptional, ad hoc requests) are covered in too much detail in the 
2011 code? 


Q8 What types of data sharing (eg systematic, routine sharing or 
exceptional, ad hoc requests) are not covered in enough detail in 
the 2011 code? 


See above re joint controllership arrangements. 


The use and approach to providing information notices under Articles 13 
and 14 of GDPR, where organisations are sharing personal data (or are 
jointly processing personal data), in particular the situations in which it is 
appropriate for a controller to rely upon Article 14(5) and what steps the 
ICO considers are necessary to make “the information [required under 
Article 14] publicly available.” 




Q9 Is the 2011 code relevant to the types of data sharing your 
organisation is involved in? If not, which additional areas should 
we cover? 


N/A 


Q10 Please provide details of any case studies or data sharing scenarios 
that you would like to see included in the updated code? 


See above re joint controllership arrangements. None of the current 
examples identify the relationship between the parties involved. We 
suggest that different scenarios are used to help controllers identify where 
a joint controllership arrangement exists and where it does not. 


We note that the ICO’s previous guidance on key definitions under data 
protection law (previously available at 
https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/) 
used the scenario of a database provided by a central government department 
to enable local authorities to share personal data as an example of 
controllers in 

In contrast, paragraph 177 of the explanatory notes to the Data 
Protection Act 2018 
(http://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpgaen_20180012_en.pdf) 
uses the Police National Computer as an example of joint 
controllership (between the chief constables). 


It is not clear why one example is considered to be controllers in common 
and the other joint controllership. 




Q11 Is there anything the 2011 code does not cover that you think it 
should? Please provide details. 


The relationship between a controller and the Royal Mail/a courier service 
including the ICO’s expectations in terms of the controller’s responsibility 
for a loss of personal data in the hands of the courier and why the ICO’s 
guidance 
(https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-guidance.pdf) 
states that the Royal Mail and couriers are neither 
controllers nor processors, yet providers of cloud hosting services (who 
equally have no control over the data that a customer stores in their 
systems) are processors. In particular, how this is reconciled with the 
Facebook and Jehovah’s Witnesses Cases on joint controllership. 


Q12 In what other ways do you think the 2011 code could be 
improved? 


Examples of when the ICO would expect to see a data sharing agreement 
in place and the ICO’s expectations in terms of content for different types 
of data sharing arrangements. 
About you: 

Q13 Are you answering these questions as? 

A public sector worker 

A private sector worker 

A third or voluntary sector worker 

A member of the public 

A representative of a trade association 

A data subject 

An ICO employee 

Other 




Q14 If other please specify: 


Data protection law advisors 


Q15 Please provide more information about the type of organisation 
you work for, ie a bank, a housing association, a school. 


Q16 We may want to contact you about some of the points you have 
raised. If you are happy for us to do this please provide your email 
address: 




Thank you for taking the time to share your views and experience. 


